Should I add application.properties to .gitignore if the Git repository is private and both the server and DB are on an internal network?

Question

I have a Git repository that is private, and the server and database it supports are both fully contained within an internal network. The application.properties file in my project contains sensitive information such as database credentials and server configuration details.

Given the following context:

1. The Git repository is private.
2. Both the server and database are isolated and not exposed to the public internet.
3. Only trusted team members have access to the repository and the internal network.

Do I still need to add the application.properties file to .gitignore, or is it safe to keep it in the repository?

I understand that .gitignore is commonly used to prevent sensitive files from being committed, but since this is a private and secured setup, I am unsure if this step is necessary. Are there potential risks or best practices I should consider even in this setup?

I’m looking for guidance on whether I should:

• Add application.properties to .gitignore and manage sensitive data separately (e.g., environment variables or a secrets manager).
• Leave it as part of the repository, given the private and isolated environment.

Any advice or insights would be appreciated 👍

Thank you!

Answer 1

The answer is YES

If you use GitHub or other similar resources, even though they were trustworthy so far, out of principle never ever push your secrets to servers you do not fully control.

It is like telling all your secrets in private to someone who proved to be trustworthy. You wouldn't feel too safe while doing so. What if GitHub's server is hijacked, someone leaks out your secrets, etc.?

And even if you do not use GitHub and you only have a git repo on the server. Developers will eventually clone it to their development machines and by accident leak the information. And then you will have problems.